It said that it began investigating when it received the malware alert, and it is apparently still investigating. "Google Webmaster Tools were initially quite delayed in showing the reason why and when they did it looked a lot like a false positive because we had some minified/obfuscated JavaScript being dynamically injected into userprefs.js," it said.

"This looked suspicious to us as well, but it was actually written to do exactly that so we were quite certain it was a false positive, but we kept digging."

The firm pored over access logs until it found a file that apparently had been altered by someone.

"It turned out that by combing through the access logs for static.php.net it was periodically serving up userprefs.js with the wrong content length and then reverting back to the right size after a few minutes. This is due to an rsync cron job. So the file was being modified locally and reverted," it added.

"Google's crawler caught one of these small windows where the wrong file was being served, but of course, when we looked at it manually it looked fine. So more confusion. We are still investigating how someone caused that file to be changed."

Since then the firm has continued an audit of its systems and has removed two compromised servers from its network. PHP.net users should expect to receive password change notifications in the next couple of days.
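The access-log check described above, finding short windows in which a static file is served at the wrong size, can be sketched as follows. This is an added example, not PHP.net's own tooling; the log lines, sizes and the function name `size_anomaly_windows` are constructed for illustration and assume the common "combined" log format.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (combined format); addresses, times and sizes are invented.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:06:10:02 +0000] "GET /userprefs.js HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.11 - - [01/Jan/2024:06:15:40 +0000] "GET /userprefs.js HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.12 - - [01/Jan/2024:06:31:12 +0000] "GET /userprefs.js HTTP/1.1" 200 1391 "-" "Mozilla/5.0"
192.0.2.13 - - [01/Jan/2024:06:33:55 +0000] "GET /userprefs.js HTTP/1.1" 200 1391 "-" "crawler"
192.0.2.14 - - [01/Jan/2024:06:36:20 +0000] "GET /userprefs.js HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.15 - - [01/Jan/2024:06:40:01 +0000] "GET /userprefs.js HTTP/1.1" 304 - "-" "Mozilla/5.0"
192.0.2.16 - - [01/Jan/2024:06:41:00 +0000] "GET /other.js HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
192.0.2.17 - - [01/Jan/2024:09:31:07 +0000] "GET /userprefs.js HTTP/1.1" 200 1391 "-" "Mozilla/5.0"
192.0.2.18 - - [01/Jan/2024:09:37:00 +0000] "GET /userprefs.js HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

def size_anomaly_windows(log_text, path):
    """Return (baseline_size, windows); a window is (first_seen, last_seen, size, hits)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Keep only full GET/200 responses: HEAD, 304 and 206 legitimately differ in size.
        if (not m or m["method"] != "GET" or m["status"] != "200"
                or m["size"] == "-" or m["path"].split("?")[0] != path):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append((ts, int(m["size"])))
    if not hits:
        return None, []
    hits.sort()
    # Treat the most frequently served size as the legitimate file.
    baseline = Counter(size for _, size in hits).most_common(1)[0][0]
    windows, prev_size = [], baseline
    for ts, size in hits:
        if size != baseline:
            if size == prev_size:  # same odd size as the previous hit: extend the window
                first, _, _, n = windows[-1]
                windows[-1] = (first, ts, size, n + 1)
            else:
                windows.append((ts, ts, size, 1))
        prev_size = size
    return baseline, windows

if __name__ == "__main__":
    base, wins = size_anomaly_windows(SAMPLE_LOG, "/userprefs.js")
    for first, last, size, n in wins:
        print(f"{first} .. {last}: {n} hit(s) at {size} bytes (baseline {base})")
```

On real logs, compressed and uncompressed responses or aborted transfers also produce differing sizes, so a reported window is a lead to compare against the file's known-good hash rather than proof of tampering.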